DETAILED ACTION

Remarks 

1. Content leaving a local network can be captured. Objects captured over a 
network by a capture system can be indexed to provide enhanced search and 
content analysis capabilities. In one embodiment the objects can be indexed 
using a data structure having a source address field to indicate an origination 
address of the object, a destination address field to indicate a destination 
address of the object, a source port field to indicate an origination port of the 
object, a destination port field to indicate a destination port of the object, a 
content field to indicate a content type from a plurality of content types identifying 
a type of content contained in the object, and a time field to indicate when the 
object was captured. The data structure may also store a cryptographic signature 
of the object to ensure the object is not altered after capture. However, this
inventive concept has been repeatedly disclosed in the following prior art.

2. (U.S. 7,185,073 B1) by Gai et al. ("Gai") 

3. "Cryptographic Hash Functions" by Bart Preneel ("Preneel"). 
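
The tag summarized in paragraph 1, with the object and tag signature fields at issue in claims 10-16, sketched as an added example (not code from this Office action, the application, Gai or Preneel). Field names, sample addresses and the key are constructed; using HMAC-SHA256 for the tag signature instead of a bare hash is an assumption made here so that someone who can rewrite the store cannot simply recompute it.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict, replace

# Constructed demo key; in practice it is held outside the tag database.
TAG_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Tag:
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int
    content_type: str
    captured_at: str          # capture time, ISO 8601 UTC
    object_sha256: str = ""   # signature field for the captured object
    tag_mac: str = ""         # signature field for the tag itself


def _canonical(tag: Tag) -> bytes:
    """Serialize every field except tag_mac in a fixed key order."""
    fields = asdict(tag)
    fields.pop("tag_mac")
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(tag: Tag, obj: bytes, key: bytes = TAG_KEY) -> Tag:
    """Fill in the object hash, then MAC the tag including that hash."""
    hashed = replace(tag, object_sha256=hashlib.sha256(obj).hexdigest())
    mac = hmac.new(key, _canonical(hashed), hashlib.sha256).hexdigest()
    return replace(hashed, tag_mac=mac)


def verify(tag: Tag, obj: bytes, key: bytes = TAG_KEY) -> str:
    """Return 'ok', 'tag altered' or 'object altered'."""
    expected = hmac.new(key, _canonical(tag), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag.tag_mac):
        return "tag altered"
    actual = hashlib.sha256(obj).hexdigest()
    if not hmac.compare_digest(actual, tag.object_sha256):
        return "object altered"
    return "ok"


def search(tags, **criteria):
    """Select tags whose fields equal every given criterion."""
    return [t for t in tags
            if all(getattr(t, k) == v for k, v in criteria.items())]


def demo():
    obj = b"%PDF-1.4 constructed sample object"
    tag = seal(Tag("192.0.2.10", "198.51.100.7", 49152, 25, "PDF",
                   "2010-05-12T14:03:00Z"), obj)
    results = {"intact": verify(tag, obj),
               "object_changed": verify(tag, obj + b"!")}
    # Someone with write access to the store swaps the object and recomputes
    # the unkeyed object hash. Without the key the tag MAC cannot be redone.
    forged_obj = b"replacement object"
    forged = replace(tag, object_sha256=hashlib.sha256(forged_obj).hexdigest())
    results["hash_recomputed"] = verify(forged, forged_obj)
    results["found"] = len(search([tag], dst_port=25, content_type="PDF"))
    return results


if __name__ == "__main__":
    print(demo())
```
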

Response to Arguments 

4. Applicant's arguments filed on 02/25/2010 have been fully considered but 
they are not persuasive for the following reasons: 

Applicant argues that Gai does not disclose "object of a communication
captured, extracted, and stored". However, Gai discloses (on column 8 lines 31-52)
that software entities executing on the various end stations and servers typically
communicate with each other by exchanging discrete packets or frames of data
according to predefined protocols, such as the Transmission Control
Protocol/Internet Protocol (TCP/IP), the Internet Packet Exchange (IPX) 
protocol, the AppleTalk protocol, the DECNet protocol or NetBIOS Extended 
User Interface (NetBEUI). In this context, a protocol consists of a set of rules 
defining how the entities interact with each other. Data transmission over the 
network consists of generating data in a sending process executing on a first 
end station, passing that data down through the layers of a protocol stack where 
the data are sequentially formatted for delivery over the links as bits. Those 
frame bits are then received at the destination station where they are
re-assembled and passed up the protocol stack to a receiving process. Each
layer of the protocol stack typically adds information (in the form of a header) to 
the data generated by the upper layer as the data descends the stack. At the 
destination station, these headers are stripped off one-by-one as the frame 
propagates up the layers of the stack until it arrives at the receiving process. 

Applicant argues that Gai does not disclose "generating a tag describing 
an object of a communication in which the fields of the tag are obtained from the 
communication". However, Gai discloses (in Figures 7A and 7B) a tag
describing an object of a communication, including fields (such as
Network Protocol/Port Number, IP address, etc.) that are obtained from the
communication.

Examiner respectfully disagrees with all other allegations as argued, as will
be discussed in detail below. Examiner, in her previous office action, gave a detailed
explanation of the claimed limitations and pointed out the exact locations in the cited prior
art.

Examiner is entitled to give claim limitations their broadest reasonable 
interpretation in light of the specification. See MPEP 2111 [R-1].

Interpretation of Claims-Broadest Reasonable Interpretation 

During patent examination, the pending claims must be 'given the 
broadest reasonable interpretation consistent with the specification'. 

Applicant always has the opportunity to amend the claims during
prosecution, and broad interpretation by the examiner reduces the possibility
that the claim, once issued, will be interpreted more broadly than is justified. In
re Prater, 162 USPQ 541, 550-51 (CCPA 1969).
5. 

Claim Rejections - 35 USC §102 

6. The following is a quotation of the appropriate paragraphs of 35 
U.S.C. 102 that form the basis for the rejections under this section made in this 
Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 
122(b), by another filed in the United States before the invention by the applicant for 
patent or (2) a patent granted on an application for patent by another filed in the United 
States before the invention by the applicant for patent, except that an international 
application filed under the treaty defined in section 351(a) shall have the effects for 
purposes of this subsection of an application filed in the United States only if the 
international application designated the United States and was published under Article 
21(2) of such treaty in the English language. 

7. Claims 1-9 and 26 are rejected under 35 U.S.C. 102(e) as being 
anticipated by U.S. 7,185,073 B1 issued to Gai et al. ("Gai").

As per claim 1, Gai teaches "a computer readable medium having stored
thereon data representing instructions that, when executed by a processor, 
cause the processor to perform operations comprising": 
generating a tag describing an object of a communication captured during 
transmission of the communication from an origination address to a destination 
address, extracted from the communication, and stored in a memory block, 
wherein the tag includes, (column 8 lines 31-52) 

"a source address field to indicate an origination address of the object," (column 
1 lines 17-66, column 2 lines 1-66, column 3 lines 1-10, column 3 lines 12-34, 
column 3 lines 51-66, column 4 lines 1-16, column 8 lines 31-66, column 9 lines
1-4, column 15 lines 11-66, column 16 lines 1-5),

"a destination address field to indicate a destination address of the object," 
(column 1 lines 17-66, column 2 lines 1-66, column 3 lines 1-10, column 3 lines 
12-34, column 3 lines 51-66, column 4 lines 1-16, column 8 lines 31-66, column 9 
lines 1-4, column 15 lines 11-66, column 16 lines 1-5),

"a source port field to indicate an origination port of the object," (column 1 lines
17-66, column 2 lines 1-66, column 3 lines 1-10, column 3 lines 12-34, column 3 
lines 51-66, column 4 lines 1-16, column 8 lines 31-66, column 9 lines 1-4, 
column 15 lines 11-66, column 16 lines 1-5),

"a destination port field to indicate a destination port of the object," (column 1 
lines 17-66, column 2 lines 1-66, column 3 lines 1-10, column 3 lines 51-66, 
column 4 lines 1-16, column 8 lines 31-66, column 9 lines 1-4, column 15 lines
11-66, column 16 lines 1-5),

"a content field to indicate a content type from a plurality of content types
identifying a type of content contained in the object," (column 11 lines 48-66, Fig.
7B, Fig. 6), and 

"a time field to indicate when the object was captured," (column 14 lines 30-46); 
and 

"storing the tag in a database, wherein the tag indexes the object in the memory 
block, the tag being stored to allow subsequent searching for the object based on 
one or more of the fields, wherein the fields are obtained from the communication"
(Figures 7A, 7B).

As per claim 2, Gai further shows "the plurality of content types," 
comprises: 

"JPEG, GIF, BMP, TIFF, PNG, Skintone, PDF, MSWord, Excel, PowerPoint, 
MSOffice, HTML, WebMail, SMTP, Telnet, Rlogin, FTP, Chat, GZIP, ZIP, TAR, 
C++ Source, C Source, FORTRAN Source, Verilog Source, C Shell, K Shell, 
Bash Shell, Plaintext, Crypto, LIF, Binary Unknown, ASCII Unknown, and 
Unknown," (column 11 lines 48-66, Fig. 7B, Fig. 6).

As per claim 3, Gai further shows "generating a device identity field to 
indicate a device that captured the object," (column 12 lines 46-66, column 13 
lines 1-6). 

As per claim 4, Gai further shows "generating a protocol field to indicate 
the protocol that carried the object," (column 12 lines 46-66, column 13 lines 1-6, 
Fig. 7B).

As per claim 5, Gai further shows "an instance field to indicate a
number of the object in a connection," (column 14 lines 30-62). 

As per claim 6, Gai further shows "generating an encoding field to indicate 
a how the object was encoded," (column 19 lines 1-14, column 19 lines 26-37). 

As per claim 7, Gai further shows "generating a size field to indicate the 
size of the object," (column 8 lines 40-52). 

As per claim 8, Gai further shows "generating an owner field to indicate an 
entity that requested capture of the object," (column 12 lines 10-23, column 18 
lines 37-66). 

As per claim 9, Gai further shows "generating a capture rule field to 
indicate a rule that triggered capture of the object," (column 19 lines 1-37). 

As per claim 26, Gai teaches "a method to index a captured object, 
comprising": 

"generating for storage of objects of a communication captured during
transmission of the communication from an origination address to a destination
address, extracted from the communication, and stored in a memory block":

"a source address field to indicate an origination address of the object," (column
1 lines 17-66, column 2 lines 1-66, column 3 lines 1-10, column 3 lines 12-34, 
column 3 lines 51-66, column 4 lines 1-16, column 8 lines 31-66, column 9 lines 
1-4, column 15 lines 11-66, column 16 lines 1-5); 

"a destination address field to indicate a destination address of the object," 
(column 1 lines 17-66, column 2 lines 1-66, column 3 lines 1-10, column 3 lines 
12-34, column 3 lines 51-66, column 4 lines 1-16, column 8 lines 31-66, column 9 
lines 1-4, column 15 lines 11-66, column 16 lines 1-5);

"a source port field to indicate an origination port of the object; a destination port 
field to indicate a destination port of the object," (column 1 lines 17-66, column 2 
lines 1-66, column 3 lines 1-10, column 3 lines 12-34, column 3 lines 51-66, 
column 4 lines 1-16, column 8 lines 31-66, column 9 lines 1-4, column 15 lines 
11-66, column 16 lines 1-5); 

"a content field to indicate a content type from a plurality of content types 
identifying a type of content contained in the object," (column 8 lines 31-52, 
column 11 lines 48-66, Fig. 7B, Fig. 6); and

"a time field to indicate when the object was captured," (column 14 lines 30-46); 
and 

"storing data in the fields to create a tag, the tag indexing the objects in the 
memory block, the tag being stored to allow subsequent searching for the object 
based on one or more of the fields, wherein the fields are obtained from the
communication" (Figures 7A, 7B).

8. Claim Rejections - 35 USC §103 

9. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject 
matter sought to be patented and the prior art are such that the subject matter as a whole 
would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall not be negatived 
by the manner in which the invention was made.

Claims 10-17 and 27 are rejected under 35 U.S.C. 103(a) as being
unpatentable over U.S. 7,185,073 B1 issued to Gai et al. ("Gai") in view of
"Cryptographic Hash Functions" by Bart Preneel ("Preneel").

As per claim 10, Gai does not explicitly teach "generating a signature field 
to store a signature of the object". However, Preneel teaches a similar data 
structure of hash function (pages 2-5 sections 2-2.3). Thus, it would have been 
obvious to one of ordinary skill in the art at the time the invention was made to
provide the data structure of Gai with the teaching of Preneel by using the hash 
function to solve the security problems in telecommunication and computer 
networks. 

As per claim 11, Gai does not explicitly teach "the signature comprises a
digital cryptographic signature". However, Preneel teaches a hash function to
generate a signature (pages 2-5 sections 2-2.3). Thus, it would have been obvious
to one of ordinary skill in the art at the time the invention was made to provide
the data structure of Gai with the teaching of Preneel by using the hash function 
to solve the security problems in telecommunication and computer networks. 

As per claim 12, Gai does not explicitly teach "generating a tag signature 
field to store a signature of the data structure". However, Preneel teaches a 
similar data structure of hash function (pages 2-5 sections 2-2.3). Thus, it would 
have been obvious to one of ordinary skill in the art at the time the invention
was made to provide the data structure of Gai with the teaching of Preneel by
using the hash function to solve the security problems in telecommunication and
computer networks. 

As per claim 13, Gai does not explicitly teach "the tag signature comprises 
a digital cryptographic signature". However, Preneel teaches a hash function to 
generate a signature (pages 2-5 sections 2-2.3). Thus, it would have been obvious
to one of ordinary skill in the art at the time the invention was made to provide
the data structure of Gai with the teaching of Preneel by using the hash function 
to solve the security problems in telecommunication and computer networks. 

10. As per claim 14, Gai explicitly teaches "a computer readable medium
having stored thereon data representing instructions that, when executed by a 
processor, cause the processor to perform operations comprising": 
storing data associated with an object of a communication captured during 
transmission of the communication from an origination address to a destination 
address, extracted from the communication, and stored in a memory block by a 
capture system to create a tag that indexes the object in the memory block, the 
data comprising: 

"an Ethernet controller MAC address of the capture system that captured the 
object," (column 1 lines 17-66, column 2 lines 1-66, column 3 lines 1-10, column 
8 lines 53-66, column 9 lines 1-4, column 8 lines 31-66, column 9 lines 1-4);

"a source Ethernet IP address of the object," (column 1 lines 17-66, column 2
lines 1-66, column 3 lines 1-10, column 3 lines 12-34, column 3 lines 51-66, 
column 4 lines 1-16, column 8 lines 31-66, column 9 lines 1-4, column 15 lines 
11-66, column 16 lines 1-5);

"a destination Ethernet IP address of the object," (column 1 lines 17-66, column 2
lines 1-66, column 3 lines 1-10, column 3 lines 12-34, column 3 lines 51-66, 
column 4 lines 1-16, column 8 lines 31-66, column 9 lines 1-4, column 15 lines 
11-66, column 16 lines 1-5);

"a source TCP/IP port number of the object," (column 1 lines 17-66, column 2 
lines 1-66, column 3 lines 1-10, column 3 lines 12-34, column 3 lines 51-66, 
column 4 lines 1-16, column 8 lines 31-66, column 9 lines 1-4, column 15 lines 
11-66, column 16 lines 1-5);

"a destination TCP/IP port number of the object," (column 1 lines 17-66, column 2 
lines 1-66, column 3 lines 1-10, column 3 lines 51-66, column 4 lines 1-16, 
column 8 lines 31-66, column 9 lines 1-4, column 15 lines 11-66, column 16 lines
1-5);

"an IP protocol that carried the object when captured by the capture
system," (column 1 lines 17-66, column 2 lines 1-66, column 3 lines 1-10, column
3 lines 12-34, column 3 lines 51-66, column 4 lines 1-16, column 8 lines 31-66,
column 9 lines 1-4, column 15 lines 11-66, column 16 lines 1-5);

"a canonical count of a number of the object within a TCP/IP connection,"
(column 2 lines 15-27);

"a content type of the object," (column 11 lines 48-66, Fig. 7B, Fig. 6);

"an encoding that was used on the object," (column 19 lines 1-14, column 19
lines 26-37);

"a size of the object," (column 8 lines 40-52);

"a timestamp indicating when the capture system captured the object," (column
14 lines 30-46); 

"a user who requested capture of the object," (column 12 lines 10-23, column 18 
lines 37-66);

"a capture rule that directed capture of the object," (column 19 lines 1-37);

the tag being stored to allow subsequent searching for the object based on one
or more of the fields, wherein the IP addresses are obtained from the
communication (Figures 7A, 7B).

Gai does not explicitly teach "a hash signature of the object" and "a hash 
signature of the tag". However, Preneel teaches hash function of the object and 
hash function of the tag to generate tag signature and verify if they have been 
modified (pages 2-5 sections 2-2.3). Thus, it would have been obvious to one of
ordinary skill in the art at the time the invention was made to provide the data
structure of Gai with the teaching of Preneel by using the hash function to solve 
the security problems in telecommunication and computer networks. 

As per claim 15, Gai does not explicitly teach "the hash signature of the 
object comprises a digital cryptographic signature of the object". However, 
Preneel teaches a hash function to generate a signature (pages 2-5 sections
2-2.3). Thus, it would have been obvious to one of ordinary skill in the art at the
time the invention was made to provide the data structure of Gai with the
teaching of Preneel by using the hash function to solve the security problems in 
telecommunication and computer networks.

As per claim 16, Gai does not explicitly teach "the hash signature of the
tag comprises a digital cryptographic signature of the tag". However, Preneel
teaches a hash function to generate a signature (pages 2-5 sections 2-2.3). Thus,
it would have been obvious to one of ordinary skill in the art at the time the
invention was made to provide the data structure of Gai with the teaching of
Preneel by using the hash function to solve the security problems in 
telecommunication and computer networks. 

As per claim 17, Gai explicitly teaches "the content type of the object is 
one of JPEG, GIF, BMP, TIFF, PNG, Skintone, PDF, MSWord, Excel, 
PowerPoint, MSOffice, HTML, WebMail, SMTP, Telnet, Rlogin, FTP, Chat, GZIP, 
ZIP, TAR, C++ Source, C Source, FORTRAN Source, Verilog Source, C Shell, K 
Shell, Bash Shell, Plaintext, Crypto, LIF, Binary Unknown, ASCII Unknown, and 
Unknown," (column 11 lines 48-66, Fig. 7B, Fig. 6).

As per claim 27, Gai explicitly teaches "a method to index a captured
object, comprising": 

storing data associated with an object of a communication captured during 
transmission of the communication from an origination address to a destination 
address, extracted from the communication, and stored in a memory block by a 
capture system to create a tag indexing the object in the memory block, the data 
comprising: 

"an Ethernet controller MAC address of the capture system that captured the 
object," (column 1 lines 17-66, column 2 lines 1-66, column 3 lines 1-10, column 
8 lines 53-66, column 9 lines 1-4, column 8 lines 31-66, column 9 lines 1-4);

"a source Ethernet IP address of the object," (column 1 lines 17-66, column 2
lines 1-66, column 3 lines 1-10, column 3 lines 12-34, column 3 lines 51-66, 
column 4 lines 1-16, column 8 lines 31-66, column 9 lines 1-4, column 15 lines 
11-66, column 16 lines 1-5);

"a destination Ethernet IP address of the object," (column 1 lines 17-66, column 2 
lines 1-66, column 3 lines 1-10, column 3 lines 12-34, column 3 lines 51-66, 
column 4 lines 1-16, column 8 lines 31-66, column 9 lines 1-4, column 15 lines 
11-66, column 16 lines 1-5);

"a source TCP/IP port number of the object," (column 1 lines 17-66, column 2 
lines 1-66, column 3 lines 1-10, column 3 lines 12-34, column 3 lines 51-66, 
column 4 lines 1-16, column 8 lines 31-66, column 9 lines 1-4, column 15 lines 
11-66, column 16 lines 1-5); 

"a destination TCP/IP port number of the object," (column 1 lines 17-66, column 2 
lines 1-66, column 3 lines 1-10, column 3 lines 51-66, column 4 lines 1-16, 
column 8 lines 31-66, column 9 lines 1-4, column 15 lines 11-66, column 16 lines
1-5);

"an IP protocol that carried the object when captured by the capture
system," (column 1 lines 17-66, column 2 lines 1-66, column 3 lines 1-10, column
3 lines 12-34, column 3 lines 51-66, column 4 lines 1-16, column 8 lines 31-66,
column 9 lines 1-4, column 15 lines 11-66, column 16 lines 1-5);

"a canonical count of a number of the object within a TCP/IP
connection," (column 2 lines 15-27);

"a content type of the object," (column 11 lines 48-66, Fig. 7B, Fig. 6);

"an encoding that was used on the object," (column 19 lines 1-14, column 19
lines 26-37);

"a size of the object," (column 8 lines 40-52);

"a timestamp indicating when the capture system captured the
object," (column 14 lines 30-46);

"a user who requested capture of the object," (column 12 lines 10-23, column 18 
lines 37-66);

"a capture rule that directed capture of the object," (column 19 lines 1-37);

"the tag being stored to allow subsequent searching for the object based on one
or more of the fields, wherein the IP addresses are obtained from the
communication" (Figures 7A, 7B).

Gai does not explicitly teach "a hash signature of the object"
and "a hash signature of the tag". However,
Preneel teaches hash function of the object and hash function of the tag to
generate tag signature and verify if they have been modified (pages 2-5 sections
2-2.3). Thus, it would have been obvious to one of ordinary skill in the art at the
time the invention was made to provide the data structure of Gai with the
teaching of Preneel by using the hash function to solve the security problems in 
telecommunication and computer networks. 



Application/Control Number: 10/814,093 Page 16 

Art Unit: 2163 

Conclusion 

11. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of
time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire 
THREE MONTHS from the mailing date of this action. In the event a first reply is 
filed within TWO MONTHS of the mailing date of this final action and the advisory 
action is not mailed until after the end of the THREE-MONTH shortened statutory 
period, then the shortened statutory period will expire on the date the advisory 
action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be 
calculated from the mailing date of the advisory action. In no event, however, will 
the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action.

Contact Information

12. Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to Kim T. Nguyen whose telephone number is 
(571)270-1757. The examiner can normally be reached on 7:30AM to 5:00PM 
East. Alt Friday off. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Don Wong can be reached on (571)272-1834. The fax 
phone number for the organization where this application or proceeding is 
assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
If you would like assistance from a USPTO Customer Service
Representative or access to the automated information system, call
800-786-9199 (IN USA OR CANADA) or 571-272-1000.



May 12, 2010 



/K. T. N./

Examiner, Art Unit 2163 
Supervisory Patent Examiner, Art Unit 2163